Risk Factors Dashboard

The Cyber Incident Reporting for Critical Infrastructure Act, enacted in March 2022, requires certain covered entities to report a covered incident to the U.S. Department of Homeland Security's Cybersecurity & Infrastructure Security Agency (“CISA”) within 72 hours after a covered entity reasonably believes an incident has occurred. Separate reporting to CISA will also be required within 24 hours if a ransom payment is made as a result of a ransomware attack.

The SEC adopted a new rule on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies in 2024, which applies to all public companies subject to the reporting requirements of the Securities Exchange Act of 1934 and requires disclosure of material cybersecurity incidents in Current Reports on Form 8-K and periodic disclosure of cybersecurity risk management, strategy, and governance in Annual Reports on Form 10-K.

State regulators have also been increasingly active in implementing privacy and cybersecurity standards and regulations and many states have recently implemented or modified their data breach notification and data privacy requirements. New Peoples expects this trend of state-level cybersecurity regulatory activity to continue and continues to monitor these developments.

Our Enterprise Risk Management program (“ERM”) is designed to identify, assess, and mitigate risks across various aspects of New Peoples, including financial, operational, regulatory, reputational, and legal. The ERM program includes an annual risk prioritization process to identify key enterprise risks. Each key risk is assigned a risk owner to establish action plans and implement risk mitigation strategies. Cybersecurity is a critical component of this program. Given the increasing reliance on technology and potential cyber threats, New Peoples uses a cybersecurity framework to aid management in understanding, managing, and reducing cybersecurity risk. This framework aids management in identifying gaps within cybersecurity infrastructure and evaluating maturity of processes. Cybersecurity frameworks use maturity levels to gauge the strength of cybersecurity controls. Our information technology and vendor risk management functions assess information technology and cybersecurity third party providers as part of the initial determination process and then periodically thereafter. We use a variety of methods and tools to assess a third-party vendor’s controls related to cybersecurity threats, including obtaining proof of a provider’s independent testing of data protection controls, imposition of contractual obligations and reviews of data protection controls such as backups, encryption standards, and disaster recovery. Our Information Security Officer is primarily responsible for this cybersecurity component and is a key member of the risk management organization, coordinating with our Chief Risk Officer with board oversight through our Information Technology Steering Committee and the Audit Risk and Compliance Committee. Aside from the Information Security Officer, cybersecurity support is provided by our Director of Information Technology and our Chief Information Officer. Each of these persons has over twenty years of experience primarily in financial sector information technology and information security administration and management backed by undergraduate and/or post-graduate degrees in information technology, as well as various information technology and network certifications.

We maintain a comprehensive Business Continuity Management program that includes Business Continuity, Disaster Recovery, and Incident Response planning and testing. This program is designed to minimize the impact of an information security disruption and ensure New Peoples can return to normal operations in a timely manner. The Information Security Officer is responsible for the administration and management of the program and key members of management are embedded into the program by its design. At least annually, management identifies an exhaustive list of business functions for each area of New Peoples, and lists resource requirements, assigns Recovery Time and Point Objectives, and Maximum Tolerable Period of Downtime for each function. Management then completes a comprehensive Business Impact Analysis that prioritizes business functions based on criticality and is used as a guide for business continuity and disaster recovery planning. We maintain an Incident Response Plan that provides a documented framework for responding to actual or potential cybersecurity incidents, including timely notification of and escalation to the appropriate Board-approved management committees, and to the Information Technology Steering Committee. The Incident Response Plan facilitates coordination across multiple parts of our organization. Business Continuity, Disaster Recovery, and Incident Response plans are updated and tested at least annually. Management performs a variety of tests on the plans including tabletop, simulation, and technical testing to ensure key personnel are prepared, recovery systems and data are viable, and Recovery Time and Point Objectives can be met. Weaknesses identified during testing are monitored until they are fully remediated. The Information Technology Steering Committee provides oversight for the Business Continuity Management Program, which includes ratification of plans and Business Impact Analysis, plan testing frequency, and remediation of identified weaknesses. The Committee ensures, based on testing, that plans are adequate to meet New Peoples’s objectives.

We engage various third parties to assist us in identifying, assessing, and responding to cybersecurity threats. This includes around-the-clock managed firewall services and managed detection and response services. In addition, we engage third parties to test the vulnerability of our cybersecurity infrastructure on a regular basis and we have a third-party assessment performed annually. A third party provides social engineering and phishing testing on a subset of bank employees annually. These third-party service providers are in regular contact with our information technology personnel, and we monitor other sources for information that any of these providers may have encountered cybersecurity threats.

All employees receive initial and ongoing training in cybersecurity awareness including such topics as email protocols, social engineering, phishing tactics, and security of Bank issued computers and other devices. Management conducts regularly phishing testing on all employees and assigns additional training when necessary. Employees with privileged access receive additional relevant training. Key personnel pursue training in their respective disciplines on a continual basis.

In the ordinary course of its business, the Bank relies on electronic communications and information systems to conduct its operations and to store sensitive data and employs a variety of preventative and detective tools to monitor, block, and provide alerts regarding suspicious activity, as well as to report on any suspected advanced persistent threats. Notwithstanding these defensive measures, the threat from cybersecurity attacks is severe, attacks are sophisticated and increasing in volume, and attackers respond rapidly to changes in defensive measures. Our internal systems, processes, and controls are designed to mitigate loss from cyber-attacks and, while we have experienced cybersecurity incidents in the past, to date, risks from cybersecurity threats have not materially affected our company. The Bank’s systems and those of its customers and third-party service providers are under constant threat and it is possible that we could experience a future significant event. The Bank expects risks and exposures related to cybersecurity attacks to remain high for the foreseeable future.